Thinktecture IdentityServer v3指南-证书 [英] Guidance on Thinktecture IdentityServer v3 - certificates
问题描述
我正在准备Thinktecture IdentityServer v3的演示。目的是使身份服务器在Azure网站下作为其自己的网站运行。
I am working up a demo of Thinktecture IdentityServer v3. The intention is to have the identity server run as it's own website under Azure Websites.
将有其他(多个)Azure网站将使用身份服务器执行以下操作:验证用户身份。
There will be other (more than one) Azure Websites that will use the identity server to authenticate users.
根据入门指南(请参阅 https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki/入门),我的这个主要是起作用。
Based on the getting started walkthrough (see https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki/Getting-started) I have this mostly working.
我在遇到证书问题的地方。
Where I am having trouble is with the certificates.
对于演示,我想创建自己的证书证书-但是我不确定该怎么做。任何指导都会有所帮助。
For the demo, I'd like to create my own certificate - but I am unsure of what I need to do. Any guidance would be helpful.
我对此有其他疑问:
- 可以使用自签名证书吗?
- 在生产方案中,自签名证书是可以接受的,还是真的需要由受信任的根证书颁发机构签名? li>
- 如何将这些证书安装到Azure网站(或可以从磁盘加载)
- Are self-signed certificates able to be used?
- In a production scenario, would self-signed certificates be acceptable, or would they really need to be signed by a trusted root authority?
- How would these certificates be installed into an Azure Website (or can I load from disk)
推荐答案
好吧-严格来说,您需要两个证书-一个用于SSL和一个用于签名-从技术上讲,它们可以是相同的-但不必如此。它们也有不同的要求。
Well - strictly speaking you need two certificate - one for SSL and one for signing - technically they could be the same - but don't have to. They also have different requirements.
对于SSL,您需要在客户的受信任列表中拥有一个证书。通常,这要么是来自商业CA的证书,要么是来自内部PKI的证书。
For SSL - you need have a cert that is in the trusted list of your clients. Typically this is either a cert from a commercial CA - or from an internal PKI.
对于签名证书,您可以生成自己的证书,例如
For the signing cert - you can generate your own - e.g. using makecert.
IdSrv在加载证书时非常灵活-您可以从任意来源检索它们-通常是从Windows证书存储区(当您具有对服务器的管理员级别访问权限时) )-文件系统,还是来自嵌入式资源。
IdSrv is pretty flexible in loading certs - you can retrieve them from arbitrary sources - typically from the windows certificate store (when you have admin level access to the server) - or the file system, or from an embedded resource.
我们的示例主机使用嵌入式资源方法,该方法对于Azure WebSite确实适用。对于生产场景,您通常需要更大的灵活性(例如,用于翻转)-因此,我将考虑从Blob存储。
Our sample host uses the embedded resource approach which does work fine for Azure WebSites. For production scenarios you typically want more flexibility (e.g. for roll over) - so I would look into loading it from e.g. blob storage.
这篇关于Thinktecture IdentityServer v3指南-证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
